[Bug 1087546] [NEW] efivars filesystem gives more access than the exists vars directory
Stéphane Graber
stgraber at stgraber.org
Fri Dec 7 03:28:47 UTC 2012
Public bug reported:
There are currently two ways of accessing EFI variables on Ubuntu:
- The old way, through /sys/firmware/efi/vars
- The new way, through /sys/firmware/efi/efivars
Both provide access to the exact same variables and are available at the
same time.
One big difference however is that /sys/firmware/efi/vars/ is only root
readable with all files being owned by root:root with the file
permissions being 600.
With the introduction of efivars, anyone is now capable of reading any
of the EFI variables.
I'm not sure if there's a potential security problem with letting any user read EFI variables, but in any case, the lack of consistency is a bit disturbing, so I think it'd be best to have efivars match the permissions of the same entries as exposed by sysfs.
** Affects: mountall (Ubuntu)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1087546
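An added example, not part of the original report or of any Ubuntu tooling: a Python check that compares the mode of each efivars entry with the matching legacy sysfs entry and lists those readable by group or other, or looser than the legacy one. It assumes the legacy layout of one directory per variable holding a `data` file; the function names and the fixture tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_efi_var_modes(efivars_dir, legacy_dir):
    """Return (name, efivars_mode, legacy_mode) for each efivars entry that is
    readable by group/other or grants bits the legacy sysfs entry does not."""
    findings = []
    for name in sorted(os.listdir(efivars_dir)):
        st = os.lstat(os.path.join(efivars_dir, name))
        if not stat.S_ISREG(st.st_mode):
            continue
        new_mode = stat.S_IMODE(st.st_mode)
        # Assumed legacy layout: <legacy_dir>/<Name>-<GUID>/data
        try:
            legacy = os.lstat(os.path.join(legacy_dir, name, "data"))
            legacy_mode = stat.S_IMODE(legacy.st_mode)
        except FileNotFoundError:
            legacy_mode = None  # variable not exposed through the old interface
        readable_by_others = bool(new_mode & (stat.S_IRGRP | stat.S_IROTH))
        looser = legacy_mode is not None and bool(new_mode & ~legacy_mode & 0o777)
        if readable_by_others or looser:
            findings.append((name, new_mode, legacy_mode))
    return findings

def make_sample(root):
    """Constructed fixture mimicking both layouts (not real firmware data)."""
    guid = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
    efivars = os.path.join(root, "efivars")
    legacy = os.path.join(root, "vars")
    os.makedirs(efivars)
    for var, new_mode in (("Boot0000", 0o644), ("Timeout", 0o600)):
        name = f"{var}-{guid}"
        os.makedirs(os.path.join(legacy, name))
        for path, mode in ((os.path.join(efivars, name), new_mode),
                           (os.path.join(legacy, name, "data"), 0o600)):
            with open(path, "wb") as fh:
                fh.write(b"\x00")
            os.chmod(path, mode)
    return efivars, legacy

if __name__ == "__main__":
    real = ("/sys/firmware/efi/efivars", "/sys/firmware/efi/vars")
    with tempfile.TemporaryDirectory() as tmp:
        # Use the live trees when both exist, otherwise the constructed fixture.
        dirs = real if all(map(os.path.isdir, real)) else make_sample(tmp)
        for name, new, old in audit_efi_var_modes(*dirs):
            old_s = "absent" if old is None else f"{old:04o}"
            print(f"{name}: efivars={new:04o} legacy={old_s}")
```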